
Question regarding a vulnerability (CVE-2023-45288), vuln scans & results publishing #3137

Open
juanibuqt opened this issue Apr 25, 2024 · 2 comments
Labels
area/security kind/question Further information is requested needs-discussion Items which need more discussion before commitment priority/awaiting_evidence waiting on user's input before we can close of assign priority

Comments

@juanibuqt

Hello team,

I am writing to you because of the following:

Reviewing past vulnerabilities found in Kaniko, I encountered the Platform One log for hardened containers, and there is a Kaniko repo there as well:

Overview - Iron Bank

Iron Bank Containers / Opensource / Kaniko / Kaniko - GitLab

Iron Bank Containers / dccscr - GitLab

Now, checking their pipeline (they use some tools, like anchore-scan, openscap-compliance and twistlock-scan)
(https://repo1.dso.mil/dsop/opensource/kaniko/kaniko/-/pipelines/3142932)
I noticed that in their last scan, a vulnerability was found:

twistlock-scan (#33588235) - Jobs - Iron Bank Containers / Opensource / Kaniko / Kaniko - GitLab (CVE-2023-45288 - Moderate)

I understand that the scanned version in this repo is kaniko:v1.22.0, which is the latest released version (released 2024-03-26): Release v1.22.0 - GoogleContainerTools/kaniko

Questions:

  1. Are you already aware of this vulnerability?
  2. Is it possible to check the results of your vulnerability scans, which are done every night with anchore-grype? This could be a good complement (I noticed that the results are shown in a txt file, but I couldn't find the results in this repository).

Thank you!

@juanibuqt (Author)

Hi, any update about this? Ty!

@aaron-prindle aaron-prindle added kind/question Further information is requested area/security needs-discussion Items which need more discussion before commitment priority/p2 High impact feature/bug. Will get a lot of users happy priority/awaiting_evidence waiting on user's input before we can close of assign priority and removed priority/p2 High impact feature/bug. Will get a lot of users happy labels May 28, 2024
@aaron-prindle (Collaborator)

Hi @juanibuqt, currently our team is using Grype for image scanning and vuln reporting. As of today (5/28/2024) grype reports that our latest release, Kaniko v1.23.0, has no fixable vulns found:

aprindle@aprindle-ssd ~/kaniko [main] grype gcr.io/kaniko-project/executor:v1.23.0
 ✔ Vulnerability DB        [updated]
New version of grype is available: 0.78.0 (currently running: 0.61.0)
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [214 packages]
 ✔ Scanning image...       [2 vulnerabilities]
   ├── 0 critical, 1 high, 1 medium, 0 low, 0 negligible
   └── 0 fixed
No vulnerabilities found

I am not familiar with Iron Bank or the image scans there. Does this scan the latest release of Kaniko, or is it a custom image? From looking at the flagged CVE, CVE-2023-45288, it is related to golang net/http & golang.org/x/net/http2:

https://nvd.nist.gov/vuln/detail/CVE-2023-45288
https://pkg.go.dev/vuln/GO-2024-2687

We continuously update golang.org/x/net from our dependabot usage, see the last merged PR below (in the last release):
#3113

Additionally we use go 1.22 for our builds which should use a patched net/http IIUC.

Do you have any suggestions here as to how to proceed? Currently our scanners aren't flagging this CVE and from looking at the CVE mentioned here I believe we should have patched that issue (could be wrong). Let me know if you have any additional details or suggestions - thanks!
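The reply above rests on two facts that can be read straight out of the kaniko executor binary: the Go toolchain version it was built with and the golang.org/x/net module version linked into it. Both are recorded in the binary's build info (the same data `go version -m <binary>` prints), which is what a version-based scanner such as grype or Twistlock keys on. The following added example, written by the editor and not part of the kaniko project or of either comment, reads that build info with the standard-library debug/buildinfo package and compares it against the fix thresholds published in the Go vulnerability database entry GO-2024-2687 (golang.org/x/net v0.23.0; Go 1.21.9 and 1.22.2 for the standard-library net/http copy). The binary path is a placeholder; to obtain the executor from the image you would create a container from it and copy the file out. The check is version-based only, exactly like the scanners in the thread; it does not prove the vulnerable code path is reachable, which is what `govulncheck -mode binary` adds.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Fix thresholds for GO-2024-2687 / CVE-2023-45288, taken from the Go vuln DB
// entry (assumed correct here; re-check the entry before relying on them).
const fixedXNet = "v0.23.0"

// Finding is one component in the binary that is below its fixed version.
type Finding struct {
	Component, Version, FixedIn string
}

// parseVersion turns "v0.23.0", "go1.22.1" or "1.22" into [major, minor, patch].
// Pre-release and pseudo-version suffixes ("-20240301...", "+incompatible") are
// cut off, so an x/net pseudo-version parses as 0.0.0 and is treated as old.
// Unparseable strings (e.g. "go1.22rc1") return ok=false; callers flag them
// rather than silently passing them.
func parseVersion(v string) (ver [3]int, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) > 3 {
		return ver, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return ver, false
		}
		ver[i] = n
	}
	return ver, true
}

func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// xNetVulnerable reports whether golang.org/x/net at version v predates the fix.
func xNetVulnerable(v string) bool {
	got, ok := parseVersion(v)
	if !ok {
		return true
	}
	want, _ := parseVersion(fixedXNet)
	return less(got, want)
}

// goVulnerable reports whether the toolchain that built the binary ("go1.22.1")
// still ships the unpatched net/http HTTP/2 code.
func goVulnerable(gv string) bool {
	got, ok := parseVersion(gv)
	if !ok {
		return true
	}
	switch {
	case less(got, [3]int{1, 21, 0}):
		return true // Go 1.20 and older were out of support and never received the fix
	case got[0] == 1 && got[1] == 21:
		return less(got, [3]int{1, 21, 9})
	case got[0] == 1 && got[1] == 22:
		return less(got, [3]int{1, 22, 2})
	default:
		return false // Go 1.23 and later shipped after the fix
	}
}

// assess applies both checks to one binary's build metadata; deps maps module
// path to the effective (post-replace) version. Only modules actually linked
// appear in build info, so an absent x/net means the module is not present.
func assess(goVersion string, deps map[string]string) []Finding {
	var out []Finding
	if goVulnerable(goVersion) {
		out = append(out, Finding{"net/http (Go toolchain)", goVersion, "go1.21.9 / go1.22.2"})
	}
	if v, ok := deps["golang.org/x/net"]; ok && xNetVulnerable(v) {
		out = append(out, Finding{"golang.org/x/net/http2", v, fixedXNet})
	}
	return out
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: go run . /path/to/kaniko/executor")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1]) // same data `go version -m` prints
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info:", err)
		os.Exit(1)
	}
	deps := make(map[string]string)
	for _, d := range bi.Deps {
		v := d.Version
		if d.Replace != nil {
			v = d.Replace.Version
		}
		deps[d.Path] = v
	}
	for _, f := range assess(bi.GoVersion, deps) {
		fmt.Printf("%s: %s %s is below fixed %s\n", os.Args[1], f.Component, f.Version, f.FixedIn)
	}
}
```

If both checks pass, a scanner that still reports CVE-2023-45288 is keying on something other than the linked Go code (an image layer package, a rebuilt or older binary, or a stale advisory feed), which is the question the reply puts back to the reporter about the Iron Bank image.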
